Api Security Best Practices

Step 2: Input Validation & Sanitization

Protect against injection attacks:

• Validate all input data
• Sanitize user inputs
• Use parameterized queries
• Implement request schema validation
• Prevent SQL injection, XSS, and command injection

Step 3: Rate Limiting & Throttling

Prevent abuse and DDoS attacks:

• Implement rate limiting per user/IP
• Set up API throttling
• Configure request quotas
• Handle rate limit errors gracefully
• Monitor for suspicious activity

Step 4: Data Protection

Secure sensitive data:

• Encrypt data in transit (HTTPS/TLS)
• Encrypt sensitive data at rest
• Implement proper error handling (no data leaks)
• Sanitize error messages
• Use secure headers

Step 5: API Security Testing

Verify security implementation:

• Test authentication and authorization
• Perform penetration testing
• Check for common vulnerabilities (OWASP API Top 10)
• Validate input handling
• Test rate limiting

Examples

Example 1: Implementing JWT Authentication

## Secure JWT Authentication Implementation

### Authentication Flow

1. User logs in with credentials
2. Server validates credentials
3. Server generates JWT token
4. Client stores token securely
5. Client sends token with each request
6. Server validates token

### Implementation

#### 1. Generate Secure JWT Tokens

\`\`\`javascript
// auth.js
const jwt = require('jsonwebtoken');
const bcrypt = require('bcrypt');

// Login endpoint
app.post('/api/auth/login', async (req, res) => {
try {
const { email, password } = req.body;

    // Validate input
    if (!email || !password) {
      return res.status(400).json({
        error: 'Email and password are required'
      });
    }

    // Find user
    const user = await db.user.findUnique({
      where: { email }
    });

    if (!user) {
      // Don't reveal if user exists
      return res.status(401).json({
        error: 'Invalid credentials'
      });
    }

    // Verify password
    const validPassword = await bcrypt.compare(
      password,
      user.passwordHash
    );

    if (!validPassword) {
      return res.status(401).json({
        error: 'Invalid credentials'
      });
    }

    // Generate JWT token
    const token = jwt.sign(
      {
        userId: user.id,
        email: user.email,
        role: user.role
      },
      process.env.JWT_SECRET,
      {
        expiresIn: '1h',
        issuer: 'your-app',
        audience: 'your-app-users'
      }
    );

    // Generate refresh token
    const refreshToken = jwt.sign(
      { userId: user.id },
      process.env.JWT_REFRESH_SECRET,
      { expiresIn: '7d' }
    );

    // Store refresh token in database
    await db.refreshToken.create({
      data: {
        token: refreshToken,
        userId: user.id,
        expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000)
      }
    });

    res.json({
      token,
      refreshToken,
      expiresIn: 3600
    });

} catch (error) {
console.error('Login error:', error);
res.status(500).json({